CVE-2025-3522: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened,...
Description
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Classification
CVE ID: CVE-2025-3522
Problem Types
Leak of hashed Window credentials via crafted attachment URLAffected Products
Vendor: Mozilla
Product: Thunderbird, Thunderbird
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 7.99% (scored less or equal to compared to others)
EPSS Date: 2025-04-21 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3522https://bugzilla.mozilla.org/show_bug.cgi?id=1955372
https://www.mozilla.org/security/advisories/mfsa2025-26/
https://www.mozilla.org/security/advisories/mfsa2025-27/